Perry: I share your feelings in this matter, great message (but I made some comments, see below). I'd appreciate the relevant Verizon URLs so I can add them to the Hall of Shame. Notice I already have several banks there, including Chase (which you also mentioned), and brokers, including CitiGroup's SmithBarney... And security companies including MS Passport and EquiFax... More examples welcome (I'll also add `contributors` gladly). Thanks, Amir

Perry E. Metzger wrote:
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:

That's why Citibank and most well run bank sites have you click on a
button on the front page to go to the login screen. There are ways to
handle this correctly.

There's an attack there, too -- one can divert the link to the login screen.

Certainly, but at least then, the URL and the certificate won't point
at Amex (or whomever). If you train your users properly, then they can
avoid trouble even then.

Agreed. SSL is designed to protect against a MITM attacker, not a mere eavesdropper (for protecting only against eavesdroppers, we don't need certificates, DH would suffice, right?). Indeed, current browser security indicators are terrible, but that's why we do all this work on secure usability, resulting in improved indicators (our TrustBar, and a host of others by now; every competent security person should use one and take care it's doing a good job and not violating privacy). I firmly hope and believe this will soon be adopted by browsers, the IE people essentially told me they will, and some new browsers (NS, Opera) already improved to some extent.

In the current case, by the time you see that there is a problem, it
is too late. Furthermore, you're training your users to engage in a
bad behavior. This is no different than Microsoft training their users
to mindlessly open .exe files for years and years, only to reap the
whirlwind when email viruses came along.

Well, of course, Microsoft are also training their users to enter passwords into an unprotected login page, just like Amex - see the entry for MS Passport in the Hall of Shame... And btw, I had a long dialog with an exec in MS about it, and she actually _agreed_ and promised to fix it long ago, I'll ask her again how come nothing happens...

The right behavior to encourage for people is "never enter in your
userid and password for an important account on a page that you don't
trust". They're training people to do the opposite.

The other major offender are organizations (such as portions of
Verizon) that subcontract payment systems to third parties. They are
training their users to expect to be directed to a site they don't
recognize to enter in their credit card information. "Really! This is
your vendor's payment site! Pay no attention to the URL and
certificate!"

That one in particular takes amazing brains...
Examples will be added to the Hall of shame...


It's a tough problem: they want to outsource the payment processing, but don't have the infrastructure to do so properly.


They could delegate a "payments.verizon.com" DNS entry and hand the
processor a "payments.verizon.com" certificate, with an expiry date
quite similar to the date when their contract is up for renewal.

I'd like to make my position on one thing here really clear, by the
way.

Since when is it considered acceptable to slack on fiduciary
responsibility on the excuse that it is annoying and requires effort?
No one would accept a bank saying "accounting is boring, and hard to
do right, so we aren't going to keep track of your balance very well
any more." No one would accept "we've decided that paying for a proper
vault is expensive, so we're keeping your safe deposit box in the men's
room." How is proper network security any different? This is a
BANK. Keeping your money secure is what they are paid to do!

Absolutely, and I've also confirmed this by a few lawyers...

Yes, it takes thought, planning, and some skill to have online
security for a financial institution, but no one is obligated to own
or run a bank. If you run a mortuary, you will have to deal with
corpses. If you run a bank, you have to be mindful of security in
handling money.

As for merchants like Verizon, there is really no excuse for
being unable to figure out how to process online credit
card payments safely, whether on their own or through a contractor. No
one obligates them to be in business, but if they're going to be, they
have a duty to do things like keeping accurate customer accounts,
paying their taxes, keeping track of who their shareholders are, and,
yes, making sure that they deal with credit card acceptance
non-hazardously. I know it is all a pain in the ass, but if one wants
an easier life, one should be a subsistence farmer instead of a
multinational corporation.

Sure, I'd love not to have to deal with the annoying things I have to
deal with, and I'd love not to have to pay my mortgage on time, and
I'd love a pony and a mountain of gold. I'm an adult, though, so I
accept that I can't have everything I want and I need to fulfill my
obligations. Are we to expect less of AMERICAN EXPRESS? Of VERIZON?
That's a non-starter as far as I'm concerned. If you want to have
a life of excuses, you don't get to play with the grownups.

Perry



--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html
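The thread's two complaints (login forms shown on unprotected pages, and credentials or card numbers posted to a third party's host that the user has no reason to trust) can be checked mechanically. The following is an added example, not code from the thread or from the Hall of Shame project: a small stdlib-only auditor that takes the URL a page was served from plus its HTML, and reports every form collecting a password or card number that (a) is displayed on a non-HTTPS page, (b) submits to a non-HTTPS URL, or (c) submits to a host outside the organization's domain. The sample pages, host names and the `SENSITIVE_NAMES` list are constructed for illustration, and "same organization" is approximated by the last two DNS labels, which is the simplification that makes Perry's delegated `payments.verizon.com` suggestion pass while an unrelated processor host is flagged.

```python
"""Audit login/payment forms for the 'unprotected login page' failure mode.

Added example (not code from the mailing-list thread). All host names and
HTML below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristics for "this form collects a secret". Constructed list; extend as needed.
SENSITIVE_TYPES = {"password"}
SENSITIVE_NAMES = {"password", "passwd", "pin", "cardnumber", "card_number", "ccnum"}


class _FormCollector(HTMLParser):
    """Collect the action and the (type, name) of every <input> for each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _collects_secret(inputs):
    return any(t in SENSITIVE_TYPES or n in SENSITIVE_NAMES for t, n in inputs)


def _org_domain(host):
    """Approximate the organization's domain by the last two labels (simplification)."""
    return ".".join((host or "").split(".")[-2:])


def audit_login_forms(page_url, html):
    """Return a list of (finding, submit_url) for every secret-collecting form."""
    parser = _FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        if not _collects_secret(form["inputs"]):
            continue  # search boxes etc. are not the concern here
        # A relative or empty action submits back to the page's own URL.
        target = urlsplit(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            # The user cannot check the URL/certificate of the page holding the form.
            findings.append(("page-not-https", target.geturl()))
        if target.scheme != "https":
            findings.append(("action-not-https", target.geturl()))
        if _org_domain(target.hostname) != _org_domain(page.hostname):
            # The "pay no attention to the URL" pattern: secrets go to someone else's host.
            findings.append(("action-third-party-host", target.geturl()))
    return findings


# --- constructed sample pages -------------------------------------------------
PAGE_UNPROTECTED = """<html><body>
<form action="/search"><input name="q"></form>
<form method="post" action="https://secure.example-bank.test/login">
  <input name="user"><input type="password" name="pw">
</form></body></html>"""

PAGE_THIRD_PARTY_PAYMENT = """<html><body>
<form method="post" action="https://checkout.example-processor.test/pay">
  <input name="cardnumber"><input name="exp">
</form></body></html>"""

PAGE_DELEGATED_PAYMENT = """<html><body>
<form method="post" action="https://payments.example-telco.test/pay">
  <input name="cardnumber">
</form></body></html>"""

PAGE_OK = """<html><body>
<form method="post" action="/login"><input type="password" name="pw"></form>
</body></html>"""


def run_samples():
    """Audit each constructed sample; returns {label: findings}."""
    return {
        "unprotected": audit_login_forms("http://www.example-bank.test/", PAGE_UNPROTECTED),
        "third_party": audit_login_forms("https://www.example-telco.test/pay", PAGE_THIRD_PARTY_PAYMENT),
        "delegated": audit_login_forms("https://www.example-telco.test/pay", PAGE_DELEGATED_PAYMENT),
        "ok": audit_login_forms("https://www.example-bank.test/login", PAGE_OK),
    }


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, findings or "clean")
```

The first sample is exactly the Amex/Citibank pattern under discussion: the form posts over HTTPS, so a packet sniffer learns nothing, but the page holding it is plain HTTP, so a MITM can rewrite the action and nothing the user can see on the page distinguishes the real form from the altered one. The `delegated` sample passes because the processor is reached under the merchant's own name, which is the arrangement Perry proposes.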

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
